@@ -194,6 +194,102 @@ kubectl create secret generic 1passwordconnect \
194194- ** SOPS** : Used for encrypting Talos secrets
195195- ** No plaintext secrets in Git**
196196
197+ ## 🗄️ MinIO S3 Backup Configuration
198+
199+ This cluster uses ** TrueNAS Scale MinIO** for S3-compatible storage backups, particularly for Longhorn persistent volume backups.
200+
201+ ### MinIO Setup on TrueNAS Scale
202+
203+ 1 . ** Install MinIO App** in TrueNAS Scale Apps
204+ 2 . ** Access MinIO Console** at ` http://192.168.10.133:9002 `
205+ 3 . ** Configure via MinIO Client (mc)** :
206+
207+ ``` bash
208+ # Access MinIO container shell in TrueNAS
209+ sudo docker exec -it < minio_container_name> /bin/sh
210+
211+ # Set up MinIO client alias (use your MinIO root credentials)
212+ mc alias set local http://localhost:9000 minio < your-root-password>
213+
214+ # Verify connection
215+ mc admin info local
216+
217+ # Create dedicated user for Longhorn backups
218+ mc admin user add local longhorn-user SecurePassword123!
219+
220+ # Create service account for the user (generates access keys)
221+ mc admin user svcacct add local longhorn-user --name " longhorn-backup-access"
222+ # Output: Access Key: ABC123XYZ789EXAMPLE0
223+ # Output: Secret Key: ExampleSecretKey123+RandomChars/ForDocumentation
224+
225+ # Create backup bucket
226+ mc mb local/longhorn-backups
227+
228+ # Create IAM policy for Longhorn bucket access
229+ cat > /tmp/longhorn-policy.json << 'EOF '
230+ {
231+ "Version": "2012-10-17",
232+ "Statement": [
233+ {
234+ "Effect": "Allow",
235+ "Action": [
236+ "s3:GetBucketLocation",
237+ "s3:ListBucket",
238+ "s3:ListBucketMultipartUploads"
239+ ],
240+ "Resource": "arn:aws:s3:::longhorn-backups"
241+ },
242+ {
243+ "Effect": "Allow",
244+ "Action": [
245+ "s3:GetObject",
246+ "s3:PutObject",
247+ "s3:DeleteObject",
248+ "s3:AbortMultipartUpload",
249+ "s3:ListMultipartUploadParts"
250+ ],
251+ "Resource": "arn:aws:s3:::longhorn-backups/*"
252+ }
253+ ]
254+ }
255+ EOF
256+
257+ # Apply the policy
258+ mc admin policy create local longhorn-backup-policy /tmp/longhorn-policy.json
259+ mc admin policy attach local longhorn-backup-policy --user longhorn-user
260+
261+ # Verify setup
262+ mc ls local/longhorn-backups
263+ ```
264+
265+ ### 1Password Secret Management
266+
267+ Store MinIO credentials securely in 1Password:
268+
269+ 1 . ** Create 1Password item** named ` minio `
270+ 2 . ** Add fields** :
271+ - ` minio_access_key ` : ` ABC123XYZ789EXAMPLE0 `
272+ - ` minio_secret_key ` : ` ExampleSecretKey123+RandomChars/ForDocumentation `
273+ - ` minio_endpoint ` : ` http://192.168.10.133:9000 `
274+
275+ ### Longhorn S3 Backup Configuration
276+
277+ The cluster automatically configures Longhorn to use MinIO via:
278+
279+ - ** External Secret** : ` infrastructure/storage/longhorn/externalsecret.yaml `
280+ - ** Backup Settings** : ` infrastructure/storage/longhorn/backup-settings.yaml `
281+ - ** Backup Target** : ` s3://longhorn-backups@us-east-1/ `
282+
283+ ### Backup Schedule
284+
285+ Automated backups are configured with different tiers:
286+
287+ | Data Tier | Snapshot Frequency | Backup Frequency | Retention |
288+ | -----------| -------------------| ------------------| -----------|
289+ | ** Critical** | Hourly | Daily (2 AM) | 30 days |
290+ | ** Important** | Every 4 hours | Daily (3 AM) | 14 days |
291+ | ** Standard** | Daily | Weekly | 4 weeks |
292+
197293## 🔍 Verification
198294``` bash
199295# Check Talos node health
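Review bot: the final verification in this block, `mc ls local/longhorn-backups`, runs through the root `local` alias, so it proves nothing about the `longhorn-user` service account or the `longhorn-backup-policy` that was just attached; register a second alias with the generated access key and secret key, list the bucket with that alias, and confirm that a different bucket is denied, so the least-privilege policy is actually exercised. Two further points: `mc admin user add local longhorn-user SecurePassword123!` passes the user password as a command-line literal, which lands in the TrueNAS shell history and the container's process list, and the printed `Access Key:` / `Secret Key:` lines look like real key material, so the doc should state plainly that all of these are placeholders (and rotate them if they ever were live). The heredoc is also written `<< 'EOF '` with a trailing space inside the quotes; if that is in the file, the bare `EOF` line will not terminate it. Lastly, both `http://192.168.10.133:9002` and the `:9000` API endpoint are plain HTTP, so Longhorn backup payloads and the console login cross the LAN unencrypted; either note that TLS is terminated on TrueNAS or record that this risk is accepted.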
@@ -215,6 +311,14 @@ kubectl get applications -n argocd -l type=application
215311# Check secrets
216312kubectl get pods -n 1passwordconnect
217313kubectl get externalsecret -A
314+
315+ # Verify Longhorn backup configuration
316+ kubectl get backuptarget -n longhorn-system
317+ kubectl get secret longhorn-backup-credentials -n longhorn-system
318+
319+ # Test MinIO connectivity from cluster
320+ kubectl run -it --rm debug --image=minio/mc --restart=Never -- \
321+ mc alias set test http://192.168.10.133:9000 < access-key> < secret-key>
218322```
219323
220324## 📋 Documentation
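Review bot: the connectivity test at the end of this hunk places `<access-key>` and `<secret-key>` into the Pod spec as container args (readable by anyone with `get pods` in that namespace, and kept in shell history), and `mc alias set` only checks that the credentials are accepted; it does not show that they can list or write `longhorn-backups`. Suggest sourcing the keys from the `longhorn-backup-credentials` secret inside the pod (via `envFrom` or a mounted volume) rather than typing them, and following the alias with `mc ls test/longhorn-backups`. Also, the official `minio/mc` image sets `mc` as its entrypoint, so `-- mc alias set ...` is executed as `mc mc alias set ...`; either drop the leading `mc` from the args or add `--command` before the `--`.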